Manifesto · The Identity Layer

Identity is a layer of the internet.

Today it's a layer-7 mess — every app's own silo, every breach the same model failing again. xposeTIP is building the layer below: behavioral, addressable, persistent. The foundation that was missing.

We're building infrastructure, not extracting data — the layer returns what the internet already knows to the person it describes.

The Diagnosis

Three numbers. One conclusion.

  • 88% of web-app attacks use stolen credentials · Verizon DBIR 2025
  • 80–90% of enterprise data is collected, stored — never used · Gartner
  • 48% of assisted identity-theft victims still unresolved a year later · ITRC 2024

The credential failed. The collection is wasteful. The subject pays — and is the last to know. That's why identity has to be a layer — and that layer has to be sovereign to its subject.

FOUNDATION

The thesis: identity belongs in the stack.

The internet was designed around addressing machines. IP. DNS. BGP. TLS. Every primitive routes bytes between endpoints. Identity, though, was bolted on at layer 7 — every app reinvents authentication, every silo holds its own record, every breach proves the model is failing at scale.

But there's a signal underneath the silos. When infrastructure rotates, something persists. The IP changes. The hash morphs. The domain rotates. Yet the person behind them — their writing rhythm, their platform mix, their geographic stamps, their interest signature — stays.

Identity is not the credential. It's the behavior. And behavior, observed across enough public sources, becomes addressable. That's the layer.

What the layer looks like

  • Behavioral: identity is reconstructed from observable patterns across public sources, not assumed from registered identifiers.
  • Addressable: any indicator — email, username, phone, wallet — resolves into the same persona graph.
  • Persistent: when infrastructure rotates, the persona survives; matching is on behavioral signature, not on credentials.
  • Composable: identity primitives can be addressed by any tool, queried by any system, and built upon by any implementation.

Why this matters now

Identity-aware regulation (NIS2, DORA in the EU) is starting to treat identity as a security primitive, not an application-layer concern.

Cyber-physical threats — supply chain compromises, deepfake-driven fraud, infrastructure rotation by APTs — demand identity context faster than current SOCs can produce it.

The breach epidemic of 2024 — 26B records leaked — proved at scale what we already knew: the silo model has failed. Something has to take its place. We think that something is a layer.

What xposeTIP is — and what it isn't

  • xposeTIP is an early implementation of this layer.
  • xposeTIP is not the layer itself. The layer is bigger than any single tool, and emerges from multiple implementations over time.
  • xposeTIP is operated commercially today — because the layer needs operational economics to mature, and pure open-source rarely funds the long road.

Four principles · How we build this layer

These aren't aspirational. They're constraints we accept upfront, encoded in the product. The layer is only worth building if we build it like this.

PILLAR 01

Ethical OSINT

01

Consent Model

Self-scan: Anyone can scan their own email. Free, no justification needed.

Third-party scan: Requires documented consent — a signed DPA, an employer policy, or explicit written authorization from the data subject.

Bulk scan: Permitted for organizations scanning their own workforce under GDPR Article 6(1)(f) legitimate interest — never for profiling external individuals.

No scan is ever anonymous to us. Every scan is logged with who authorized it, when, and why.

02

Transparency

Every finding shows its source. Every score explains its reasoning. No black boxes. No "trust us" scores. You see exactly what we see.

03

Purpose Limitation

xpose finds exposure to help you reduce it. Every finding comes with a remediation action. We're a shield, not a sword.

04

Right to Delete

Request deletion. We purge everything. Not soft delete. Not "archived." Gone. Your data, your choice.

05

No Dark Patterns

No upsell scare tactics. No inflated scores to push premium plans. A score of 6 means you're fine. We tell you that.

06 — We Will Never

  • Accept contracts for unconsented pre-employment screening
  • Sell, license, or share scan data with data brokers, advertisers, or intelligence agencies
  • Accept military, mass surveillance, or law enforcement contracts for profiling civilians
  • Build facial recognition, social scoring, or predictive profiling features
  • Monetize scan results, even anonymized or aggregated
  • Retain data for users who delete their account — purge is cryptographic, not soft delete
  • Comply with data requests from authoritarian regimes, regardless of legal pressure

These aren't aspirational. They're hardcoded. If a future version of xpose violates any of these, fork the repo and call us out. The code is AGPL-3.0 licensed for exactly this reason.

PILLAR 02

Green Intelligence

The cybersecurity industry runs 256GB RAM clusters to grep logs. We run 179 OSINT scrapers, graph algorithms, and a rules engine on a 7-year-old MacBook. 50 watts.

The Amiga 500 Philosophy

In 1987, demoscene coders made art with 512KB of RAM that still amazes today. Not because they had less — because constraints breed creativity.

  • Data-driven scrapers (no code per source — just JSON config)
  • Single PostgreSQL (no distributed cluster)
  • Celery + Redis (not Kafka + ZooKeeper + 7 brokers)
  • Pixel art avatars (5.4B combinations, zero GPU, zero API call)

Every architectural decision asks: "is this the lightest way?"

Our Benchmark

Measured on a 2019 MacBook Pro, 50W TDP

xpose Scan

  • ~90s of compute per scan
  • ~1.25 Wh energy per scan
  • ~0.9g CO2 (EU grid avg 722g/kWh)
  • 5 containers, 0 managed services

Typical Cloud OSINT

  • 3-5 min on m5.xlarge ($0.19/hr)
  • 5-10x energy footprint
  • Plus Elasticsearch + API costs
  • 12+ containers, 3+ managed services

We don't claim 100x. We claim significantly less — and we show our math.

PILLAR 03

Education First

Most security tools show you a number and say "fix it." xpose shows you WHY.

"Your score is 42 because you reuse the same username across 12 platforms. Here's why that's risky: an attacker who compromises one account can try the same credentials on all 12."

"We found your email in the LinkedIn 2021 breach. This means your password hash was exposed. Even if you changed your LinkedIn password, attackers test these credentials on every other service."

"Your GitHub profile reveals your real name, employer, location, and timezone. This is enough for a targeted phishing email that mentions your company by name."

We don't just scan. We teach. The goal isn't to make you dependent on xpose. It's to make you not need xpose anymore.

We measure success by how many people improve their score to A — not by how many people renew their subscription.

PILLAR 04

Data Commitment

What we store

  • Scan results (findings, scores, graph) — tied to your workspace, encrypted at rest
  • Account credentials — hashed (bcrypt), never reversible
  • API keys — AES-256 encrypted (Fernet), never stored in plaintext

What we don't store

  • Raw HTML from scraped pages (discarded after extraction)
  • Passwords found in breaches (we note the breach, not the credential)
  • Biometric data (no facial recognition, no voiceprint, no behavioral biometrics)

Retention

  • Active accounts: data retained while account is active
  • Inactive accounts: scan data auto-purged after 12 months of inactivity
  • Deleted accounts: cryptographic purge within 72 hours — not soft delete, not "archived"
  • Workspace deletion: cascade purge of all targets, findings, identities, scans
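The "cryptographic purge" promised in the Retention list (and in pillar 01's "We Will Never" list) is the property that deleting one small key, rather than hunting down every copy of the data, makes the data unrecoverable. The usual way to get that property is envelope encryption: each workspace's findings are sealed under a per-workspace data-encryption key (DEK), the DEK is stored only in wrapped form under a service key-encryption key (KEK), and purge destroys the wrapped DEK, after which the finding ciphertexts, even ones lingering in backups or replicas, are just random bytes. The Go program below is an added illustration of that mechanism and is not xposeTIP's code; the Store and Workspace types, the in-memory KEK (which in practice would live in a KMS or HSM), and the choice of AES-256-GCM are all assumptions of this example. The page names Fernet for API keys; Fernet as specified uses AES-128-CBC with an HMAC-SHA256 tag, so this example is not Fernet-compatible, but the purge logic is the same whichever authenticated cipher wraps the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Workspace is one tenant. Its DEK exists only as AES-GCM ciphertext under the
// service KEK; Findings are AES-GCM ciphertexts under the DEK. Both shapes are
// assumptions of this example, not xposeTIP's schema.
type Workspace struct {
	ID         string
	wrappedDEK []byte   // nil once the workspace has been purged
	Findings   [][]byte // nonce || ciphertext || tag, sealed under the DEK
}

// Store is a hypothetical key-holding service. In production the KEK would
// sit in a KMS/HSM and never be held in process memory like this.
type Store struct {
	kek        []byte
	Workspaces map[string]*Workspace
}

// sealWith encrypts plaintext with AES-GCM and prefixes the random nonce.
func sealWith(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openWith reverses sealWith; a wrong key or tampered bytes fail authentication.
func openWith(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// NewStore generates a fresh 256-bit KEK (constructed at random for the demo).
func NewStore() (*Store, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &Store{kek: kek, Workspaces: map[string]*Workspace{}}, nil
}

// CreateWorkspace mints a random DEK and keeps only its KEK-wrapped form.
func (s *Store) CreateWorkspace(id string) (*Workspace, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	wrapped, err := sealWith(s.kek, dek)
	if err != nil {
		return nil, err
	}
	ws := &Workspace{ID: id, wrappedDEK: wrapped}
	s.Workspaces[id] = ws
	return ws, nil
}

// unwrapDEK is the single chokepoint: once the wrap is gone, nothing decrypts.
func (s *Store) unwrapDEK(ws *Workspace) ([]byte, error) {
	if ws.wrappedDEK == nil {
		return nil, errors.New("workspace purged: data key destroyed")
	}
	return openWith(s.kek, ws.wrappedDEK)
}

// AddFinding seals one finding under the workspace DEK.
func (s *Store) AddFinding(ws *Workspace, finding string) error {
	dek, err := s.unwrapDEK(ws)
	if err != nil {
		return err
	}
	ct, err := sealWith(dek, []byte(finding))
	if err != nil {
		return err
	}
	ws.Findings = append(ws.Findings, ct)
	return nil
}

// ReadFindings decrypts every finding; it fails as a whole after a purge.
func (s *Store) ReadFindings(ws *Workspace) ([]string, error) {
	dek, err := s.unwrapDEK(ws)
	if err != nil {
		return nil, err
	}
	out := make([]string, 0, len(ws.Findings))
	for _, ct := range ws.Findings {
		pt, err := openWith(dek, ct)
		if err != nil {
			return nil, err
		}
		out = append(out, string(pt))
	}
	return out, nil
}

// Purge is the cryptographic delete: zero and drop the wrapped DEK. The
// finding ciphertexts are deliberately left in place to show they are useless.
func (s *Store) Purge(ws *Workspace) {
	for i := range ws.wrappedDEK {
		ws.wrappedDEK[i] = 0
	}
	ws.wrappedDEK = nil
}

func main() {
	s, _ := NewStore()
	ws, _ := s.CreateWorkspace("ws-demo")
	_ = s.AddFinding(ws, "username reused across 12 platforms") // constructed sample finding
	before, _ := s.ReadFindings(ws)
	fmt.Println("before purge:", before)
	s.Purge(ws)
	_, err := s.ReadFindings(ws)
	fmt.Println("after purge:", err, "| ciphertexts still stored:", len(ws.Findings))
}
```

The point to check in a real deployment is that every read path goes through the DEK unwrap and that the wrapped DEK is the only place the key exists; a soft delete that merely flags the row leaves the plaintext one query away, whereas here the surviving ciphertext cannot be opened even by the service's own KEK.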

What we will never do with your data

  • Train AI/ML models on scan results
  • Sell aggregated intelligence reports
  • Share data with any third party without explicit per-instance consent
  • Use scan patterns for competitive intelligence

"Your scan data exists to protect you. The moment it stops serving that purpose, it should stop existing."

Built in Luxembourg — Ethical by constitution, not by marketing.

Open source (AGPL-3.0) so you can verify every claim on this page.

Manifesto v3.1 — Jun 2026